From patchwork Mon Mar 14 14:12:53 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Josh Boyer <jwboyer@fedoraproject.org>
X-Patchwork-Id: 8579301
Return-Path: <linux-input-owner@kernel.org>
X-Original-To: patchwork-linux-input@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 76ACE9F54C
	for <patchwork-linux-input@patchwork.kernel.org>;
	Mon, 14 Mar 2016 14:13:11 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 79CB720219
	for <patchwork-linux-input@patchwork.kernel.org>;
	Mon, 14 Mar 2016 14:13:09 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 837C6201FA
	for <patchwork-linux-input@patchwork.kernel.org>;
	Mon, 14 Mar 2016 14:13:07 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755635AbcCNONG (ORCPT
	<rfc822;patchwork-linux-input@patchwork.kernel.org>);
	Mon, 14 Mar 2016 10:13:06 -0400
Received: from mail-yw0-f171.google.com ([209.85.161.171]:33864 "EHLO
	mail-yw0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1755000AbcCNONE (ORCPT
	<rfc822;linux-input@vger.kernel.org>);
	Mon, 14 Mar 2016 10:13:04 -0400
Received: by mail-yw0-f171.google.com with SMTP id h129so168341143ywb.1;
	Mon, 14 Mar 2016 07:13:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=sender:from:to:cc:subject:date:message-id;
	bh=Xrqiv7fD5rlIo46qt3KyS2TiywkNYBo5ERJwfj9H8to=;
	b=HO3CaR69VXkpFHWwygpVCYe7keXI26TQxIicdCNo+hK6uGYNeExGElOyAztYChF0fH
	MZdQEeQuqvUriNCBVfAzxxZ6HIoQQxH8IONDjhoflpTSwbyFRGoPF2NmzV4SRxDMB+6l
	eYj0naDS5ePjpW0USjCEmkIFBaz600RPgEpm7/th9/bB8QEyUgdqTreYoFEizEQF2OgY
	hvOxe/j//uo5NMU0kUwoBnKR/QnTm1EiIRr1jg+SNhH+YydbgZNg8ZjlN6Dr1REj18/i
	oplo457+0i+rpjABppgncCoD6t6S99xkiLpQCZiVezHuUEbeCVHj9sNAtz7HpnN0iV1Y
	uoHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id;
	bh=Xrqiv7fD5rlIo46qt3KyS2TiywkNYBo5ERJwfj9H8to=;
	b=frBYP5tkZ15ZwVbSQCQp7lNhWKyrCbV4imB2N3r7mmZESwIFnmuLHrylMIGfpsVjRg
	6ulc0+JeBDCznQdCrG2q+D2lPmk9qCWW4uHVGd6ySESTEgq9dflrpEiO44k7i1JjMH1+
	w8m66PBO+4YQTJoP1cCG3cqMP6wLKKkzZuGIpV3A4LDGcWCqZOtCXVdvhd0R3BwnipgR
	w2PZyxKhA69zda6OJ6EkD0bgELpwl44VRazo602Poo/t5MpqQzAjjCJ41i1t0XUvZ1xP
	4iZ4B/EJQ2UwpYFtSWDEoKl4NSLLL4CHF3mpLZfH1GYeMLH258KyAwU8eejEBdifCqqC
	pPhQ==
X-Gm-Message-State: 
 AD7BkJJTX3wFRg96+54bb61Oh0ZQ58+41ZQH6yjbVd91Jf5lL7CzkprwRW4w4gjDh6H6UQ==
X-Received: by 10.13.202.195 with SMTP id
	m186mr11955457ywd.151.1457964783743;
	Mon, 14 Mar 2016 07:13:03 -0700 (PDT)
Received: from vader.localdomain (24-247-106-71.dhcp.aldl.mi.charter.com.
	[24.247.106.71]) by smtp.gmail.com with ESMTPSA id
	204sm14037137ywr.32.2016.03.14.07.13.02
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 14 Mar 2016 07:13:03 -0700 (PDT)
From: Josh Boyer <jwboyer@fedoraproject.org>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-input@vger.kernel.org, linux-usb@vger.kernel.org,
	linux-kernel@vger.kernel.org, stable <stable@vger.kernel.org>
Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
	descriptors
Date: Mon, 14 Mar 2016 10:12:53 -0400
Message-Id: <1457964773-29512-1-git-send-email-jwboyer@fedoraproject.org>
X-Mailer: git-send-email 2.5.0
Sender: linux-input-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-input.vger.kernel.org>
X-Mailing-List: linux-input@vger.kernel.org
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The powermate driver expects at least one valid USB endpoint in its
probe function.  If given malicious descriptors that specify 0 for
the number of endpoints, it will crash.  Validate the number of
endpoints on the interface before using them.

The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
 drivers/input/misc/powermate.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
index 63b539d3daba..84909a12ff36 100644
--- a/drivers/input/misc/powermate.c
+++ b/drivers/input/misc/powermate.c
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
 	int error = -ENOMEM;
 
 	interface = intf->cur_altsetting;
+	if (interface->desc.bNumEndpoints < 1)
+		return -EINVAL;
+
 	endpoint = &interface->endpoint[0].desc;
 	if (!usb_endpoint_is_int_in(endpoint))
 		return -EIO;